Posted by timothy on Friday August 20, 2010 @10:11PM from the splat-splat-splat dept.

CWmike writes "Google patched 10 vulnerabilities in Chrome on Thursday, but it didn't award any of the researchers who reported bugs its new top-dollar reward. Google divulged no details of the vulnerabilities and, as is its custom, it blocked public access to its bug-tracking database — a practice meant to keep attackers from using the information before most users have upgraded. Some rivals, such as Mozilla, do the same; others, like Microsoft, do not. Sergey Glazunov banked $4,674 for reporting four bugs, including the previous maximum $1,337 each for two of the quartet. A researcher known as 'kuzzcc,' who has also reported flaws in Opera to that browser's Norwegian maker, took home $2,000 for uncovering a pair of Chrome vulnerabilities. But no one received Google's new biggest bounty, which the company set at $3,133.70 last month, after Mozilla had increased its maximum vulnerability payment to $3,000."

Yes you're right. Some people don't like to accept compensation for things like this (research, volunteering, contributions). It isn't uncommon for one of them to feel trapped by their own rules of ethics, desiring payment but unwilling to take it, and then they despise others for accepting it... and themselves for wanting it.

You're basically accepting payment for lost life (which can never be recovered). "I'll spend 40 hours programming your software, and I want $1000 in return for my precious life wasted."

I assume we're still talking about collecting bounties from Google when I make the following statement. If the work you do for the possibility of money feels like wasting your life maybe you should do something else, like work for the guarantee of money or simply treat it as a hobby.

Granted - but my point was that I should not be criticized for accepting the money.

It's MY life not somebody else's, and if I want to be compensated I have that right, and they can keep their dumb-assed hippy opinion ("work for free!") to themselves. I don't like Bible thumpers preaching at me, and I certainly don't need hippies preaching at me either. If I waste days of my life finding a bug, I expect payment.

One could fairly easily sell these sorts of bugs for much more than a "modest sum." I believe the common counter argument is that those finding these bugs should be given something closer to the "market price" (for bugs in something as wide-spread as IE, this can be on the order of hundreds of thousands of dollars).

I don't really agree with this argument, just thought I'd fill you in on why some people would be complaining. The fact that these bugs were found and patched means that it can't be a horrible

Instead of objective discussion, /. seems to (these days) often revolve around people throwing anger around. I simply wouldn't be surprised when people find something... anything to bitch and moan about. Heck, my post was tagged as flamebait initially. I suppose that's not too far off, but it's simply discouraging when people are so quick to make knee-jerk reactions to anything just for the sake of doing so.

If the goal is to find vulnerabilities, then yes. This is a great way to encourage people to do just that.

If the goal is to maximize security for the average user, this pay-per-pwn reward scheme is a tangent at best.

"Meritocracy" does not mean rewarding people to do work. That's just "labor". Meritocracy means rewarding the right people for doing the right job, where the job in this case is ostensibly to improve security. Here, we have an incorrect solution to a problem, and therefore the quality of people pe

Nothing specifically to back it up, but I think sometimes that people really just want recognition. Google giving them a reward for finding a fix can be that recognition or hacking Google and compromising thousands of machines can be that recognition. Either way they will find the exploit. Better that Google recognizes them than a criminal enterprise.

Bollocksing up a common phrase by randomly switching in words is not "flavouring the language." It's "clouding the issue." Use the right phrase, with the right words, or don't use the phrase. You're not avant garde, you're not clever. You're uneducated. If you're ESL, that's one thing, but then you don't claim you're enjoying flavour in your language. Pretty sure you're just a tool.

The best way I ever heard someone describe this idiom was that "a boat is what you get on when the ship's sinking". When you're still on the ship everything is just fine, which means the idiom simply doesn't work. When you're in the boat though, that means there's a problem. ;)

you would think you could sell this information to certain other parties for a lot more than that

and the potential for damage that can be done to the company's brand, and with all of the money the company has, you'd think they'd pay at least an order of magnitude more. and get a lot more interest in finding and reporting security flaws to boot

they are playing pennies for gems of information

Some of us like to play nice. Not saying I am in the category of the people who got those rewards, of course.

Certainly, without there being some that play nice there wouldn't be the terms "white hat" and "black hat" hackers - they would all be black hat.

It is kinda a Prisoner's Dilemma - while yes you *could* get more if you found the right buyer you have to *find* that buyer before the bug is found and patched. It isn't a remotely legal trade in most places so it's not like they are going to advertise and chances are the people who would find this type of bug aren't in the day to day business of this type to kn

It has to be a careful balance to set bounties like this at the right amount. The information and fixes are valuable, yes. However, if they set the payout too high, it could actually encourage their employees to write buggy software in the hopes of cashing in (i.e. through a friend or family member).

...Except for the fact when Google audits the broken code and finds the person responsible for putting it in they are out a job, and my guess is, stable employment with a decent paycheck and benefits is better than a quick $3K.

Citation please. I find it hard to believe that a Google employee (or an employee of any company) would find themselves out of a job because of broken code.

I don't think that would be too much of a problem at Google. I mean I doubt many Google employees (certainly not coders) make less than 6 figures and probably with an amazing retirement plan as well. I wouldn't risk a job at Google for anything less than 7 figures.

Actually, you would be wrong... Google actually pays a fair bit less than many other tech companies, thinking that their 'rep' is some salary too. They used to rely on benefits, too - the cafeterias, etc... but have been cutting back drastically on those.

My offer from Google was within 5k of the offers from Microsoft, Amazon and Apple. Consulting companies like Booz Allen were quite a bit lower with worse benefits packages. The big financials were even worse, often 20k below in salary compared to the big companies I listed.

Google pays engineers quite well. From what I hear, non-engineers are not as lucky.

But there is an additional potential payoff. If someone finds enough bugs, I'm sure there's a chance that they could be offered a job by Google, which would most likely pay off both monetarily and socially/job security more than selling the bug details to "certain other parties".

It's probably an incremental title - the first (most) elite is elite 0, the penultimate h4x0r is elite 1, and so on...
It's a privilege to be the best - a single digit is easier to type than a half dozen are, and 0 falls on the underused right-hand side of the qwertyboard.

Why would Google do that if its updates occur frequently due to them being deltas and of smaller sizes? Would it not make any difference since users are most likely patched up already? I can understand for users who are using the portable versions--like me--unless there are more portable users than there are who install the regular app.

The reason that Google and the like are offering "bounties" on bugs is that the people behind malware do the same thing. They offer cash for exploits, not hard to find them either, just use a different search engine other than Google.

And ever since they pushed out fixes, I can't connect to a bunch of SSL sites (such as mail.google.com). Apparently the fixes broke the ability to access SSL sites from behind a corporate firewall in some cases. The fixes made Chrome nearly useless to me. :(